VMware patch batch fixes 20 security flaws


Summary: VMware patches a total of 20 different vulnerabilities affecting all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE and VMware Player.


(Image: VMware patch binge)

Virtualization software specialist VMware has shipped a batch of "critical" security updates to cover gaping holes in a wide range of its server and workstation products.

An advisory from VMware lists a total of 20 different vulnerabilities affecting all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE and VMware Player.

The company warned that attackers can exploit these bugs to launch code execution or denial-of-service attacks. In certain scenarios, a successful exploit would allow an attacker to escape from a guest system in a VM or shut down processes on the host.


Secunia rates the patch batch as "moderately critical" but issued a separate alert for the VMware ESX Server issue which carries a "highly critical" rating:

This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, perform certain actions with escalated privileges, or to cause a DoS (Denial of Service), by malicious users to bypass certain security restrictions, and by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Download locations for product patches are available in the VMware advisory.


Talkback

4 comments
  • So just out of curiosity

    Do these vulnerabilities affect all OS's running virtual machines?
    Kid Icarus-21097050858087920245213802267493
    • Some do, some don't

      Read the advisory.
      Real World
      • question

        How can you tell if you have it or not?
        all_4_him06
  • For ESX, these are console related only

    It's important to note that on the ESX or now Vi 3, these issues are related to the Linux-based console section and not the vmkernel which runs the VMs. The console can completely crash (and I've seen it do it) and the vmkernel along with the VMs still run just fine. You can no longer manage them outside the VM OS, get to their consoles, etc. and Virtual Center can also no longer reach them or the host but you can still get to the VMs over the network, which is how it should be done anyways. This isolation is the strength of ESX over other hosted virtualization platforms.

    It's also important to realize that most of these are patches to different packages that ship with Linux, and some don't ship to ESX at all by default, so if you are not running say, Samba, or PAM, or BIND then these do not affect you.

    Also, with the use of VMotion, you can patch the ESX console without down time to your VMs. Many times you'll see something like this on VMware's patch page:

    " Note: The VMware service console does not provide the kadmind (whatever package), and is not affected by these issues, but a fix has been provided for completeness."

    They know people will buck best practices and run stuff in the console so they try to keep folks from shooting themselves in the foot.

    This is why you should only run the absolute minimum of components in the console and have it locked down, allowing only the minimum ports. I configure all my host consoles to have only ssh and http/s open, and I configure httpd.vmware to not start automatically.
    markdean
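A quick audit in the spirit of markdean's two points above (only packages actually present on the service console matter, and only ssh and http/s should be listening), added here as an example and not taken from the article, the comments or VMware. It assumes the console's package manager is rpm and that `netstat -tln` output has the usual six columns; the sample output embedded below is constructed, not a real capture.

```shell
#!/bin/sh
# Packages the comment names as shipping with the console but often unused
# (assumed package names; adjust to what your console actually carries).
OPTIONAL_PKGS="samba bind pam"

# Ports the commenter leaves open on the console: ssh, http, https.
ALLOWED_PORTS="22 80 443"

# List which of the optional packages are installed; rpm -q exits non-zero
# when a package is absent, so only installed names are printed.
installed_optional() {
    for p in $OPTIONAL_PKGS; do
        rpm -q "$p" >/dev/null 2>&1 && echo "$p"
    done
}

# Read "netstat -tln" style text on stdin and print every listening TCP port
# (IPv4 or IPv6) that is not in ALLOWED_PORTS, each port once.
unexpected_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # keep text after last ":"
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# Constructed sample of what a console might show (not a real capture):
# 139 (Samba) and 53 (BIND) are the two ports the commenter would not want open.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN'

echo "Listening ports outside the allow list (sample data):"
printf '%s\n' "$SAMPLE" | unexpected_ports

# On a real console run the same check against live data:
#   netstat -tln | unexpected_ports
if command -v rpm >/dev/null 2>&1; then
    echo "Optional packages present:"
    installed_optional
fi
```

Any port the second function prints, or any package the first one lists, is something to either remove from the console or match against the advisory before deciding a given fix can be skipped.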